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I. Real Party in Interest 
The real party in interest is Hewlett-Packard Development Company, LP, a 
limited partnership established under the laws of the State of Texas and having a 
principal place of business at 20555 S.H. 249 Houston, TX 77070, U.S.A. 
(hereinafter "HPDC"). HPDC is a Texas limited partnership and is a wholly-owned 
affiliate of Hewlett-Packard Company, a Delaware Corporation, headquartered in 
Palo Alto, CA. The general or managing partner of HPDC is HPQ Holdings, LLC. 
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II. Related Appeals and Interferences 
There are no related appeals or interferences known to the Appellants. 
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Ill, status of Claims 
Claims 1-5, 7-28 and 30-33 stand rejected. Claims 1-5, 7-28 and 30-33 are 
pending. Claims 6 and 29 have been cancelled. This appeal involves Claims 1-5, 7- 
28 and 30-33. 
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IV. status of Amendments 
All proposed amendments have been entered. Therefore, the Clean Copy of 
the Claims on Appeal in Section VIII of the instant Appeal Brief does reflect the 
proposed amendments. 
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V. Summary of Claimed Subject Matter 



Independent Claim 1 recites, "A method for responding to network 
intrusions," which is described, according to various embodiments, at least at page 16 
lines 11 through page 17 line 9, Figure 4. "a) receiving an intrusion detection system 
(IDS) alert from an IDS sensor located in a network of computing resources, wherein 
said IDS alert indicates an unauthorized intrusion upon a remotely located computing 
resource in said network of computing resources, wherein said remotely located 
computing resource is modified by said unauthorized intrusion," is described, 
according to various embodiments, at least at 410 on Figure 4, page 16 lines 11-18, 
page 10 lines 12-17, and page 11 line 15. "b) identifying said IDS alert," is described, 
according to various embodiments, at least at 420 on Figure 4 and page 16 lines 24- 
29. "c) determining an appropriate response to said IDS alert that is identified at a 
location separate from said remotely located computing resource so that said 
determining said appropriate response is unaffected by said unauthorized intrusion," is 
described, according to various embodiments, at least at 430 on Figure 4 and page 17 
lines 7-9. "d) automatically implementing said appropriate response to mitigate 
damage to said network of computing resources from said unauthorized intrusion by 
isolating said remotely located computing resource, wherein said implementing said 
appropriate response comprises interfacing with a power controller that controls power 
to said computing resource to shut power to said computing resource," is described, 
according to various embodiments, at least at 440 on Figure 4, page 17 lines 7-9, 
original Claim 12 and original Claim 6. 

Independent Claim 12 recites, "A method for responding to network 
intrusions," which is described, according to various embodiments, at least at page 16 
lines 11 through page 17 line 9, Figure 4. "a) receiving an intrusion detection system 
(IDS) alert from an IDS sensor in a network of computing resources at a location 
separate from an infected computing resource, wherein said IDS alert indicates an 
unauthorized intrusion upon said infected computing resource in said network of 
computing resources, wherein implementation of a response to said IDS alert is 
unaffected by said unauthorized intrusion and wherein said unauthorized intrusion 
caused said computing resource to become infected," is described, according to 
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various embodiments, at least at 410 on Figure 4, page 1 6 lines 11-18, page 1 0 lines 
12-17, and page 1 1 line 15. "b) responding to said IDS alert by automatically 
interfacing with at least one switch in said network of computing resources to virtually 
reconfigure said at least one switch, an associated switch, in order to virtually isolate 
said computing resource from remaining computing resources in said network of 
computing resources," is described, according to various embodiments, at least at 440 
on Figure 4, and page 17 lines 9-24. "c) responding to said IDS alert by automatically 
interfacing with a power controller that controls power to said computing resource to 
shut power to said computing resource," is described, according to various 
embodiments, at least at 540 and 550 on page 5 and page 19 lines 19-27. 

Independent Claim 23 recites, "A computer system," which is described, 
according to various embodiments, at least at page 16 lines 1 1 through page 17 line 9, 
Figure 4. "A bus for communicating information associated with a method for 
responding to network intrusions; a processor coupled to said bus for processing said 
information associated with said method for responding to network intrusions; and a 
computer readable memory coupled to said processor containing program 
instructions, that when executed by said processor, implement said method for 
responding to network intrusions," is described, according to various embodiments, at 
least at page 6 line 18 to page 7 line 21 and Figure 4. "a) receiving an intrusion 
detection system (IDS) alert from an IDS sensor located in a network of computing 
resources, wherein said IDS alert indicates an unauthorized intrusion upon a remotely 
located computing resource in said network of computing resources, wherein said 
remotely located computing resource is modified by said unauthorized intrusion," is 
described, according to various embodiments, at least at 410 on Figure 4, page 16 
lines 11-18, page 10 lines 12-17, and page 11 line 15. "b) identifying said IDS alert," 
is described, according to various embodiments, at least at 420 on Figure 4, and page 
16 lines 24-29. "c) determining an appropriate response to said IDS alert that is 
identified at a location separate from said remotely located computing resource so that 
said determining said appropriate response is unaffected by said unauthorized 
intrusion," is described, according to various embodiments, at least at 430 on Figure 4, 
and page 17 lines 7-9. "d) automatically implementing said appropriate response to 
mitigate damage to said network of computing resources from said unauthorized 
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intrusion by isolating said remotely located computing resource, wherein said 
implementing said appropriate response comprises interfacing with at least one 
switch, an associated switch, in said network of computing resources to virtually 
reconfigure said associated switch in order to virtually isolate said computing resource 
from remaining computing resources in said network of computing resources," is 
described, according to various embodiments, at least at 440 on Figure 4, page 17 
lines 7-9, original Claim 12 and original Claim 6. 
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VI. Grounds of Rejection to Be Reviewed on Appeal 
1 . Claims 1-5, 7-28 and 30-33 stand rejected under 35 U.S.C. 103(a) as being 
unpatentable over U.S. Patent Application Publication No. 2004/0148520 by Talpade 
et al. (referred to herein as "Talpade") in view of U.S. Patent Application Publication 
No. 2003/0208606 by Maguire et al. (referred to herein as "Maguire") and further in 
view of Appellant's background. 
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VII. Argument 

1 ■ Whether Claims 1-5, 7-28 and 30-33 Are Patentable Under 35 U.S.C. 103(3) 
OverTalpade, Maguire and Background 

Claims 1-5, 7-28 and 30-33 stand rejected under 35 U.S.C. 103(a) as being 
unpatentable over U.S. Patent Application Publication No. 2004/0148520 by Talpade 
et al. (referred to herein as "Talpade") in view of U.S. Patent Application Publication 
No. 2003/0208606 by Maguire et al. (referred to herein as "Maguire") and further in 
view of Appellant's background. Appellant has reviewed the asserted art and 
respectfully submits that the asserted art does not teach or suggest Claims 1-5, 7-28 
and 30-33 for at least the following reasons. 

"As reiterated by the Supreme Court in KSR, the framework for the objective 
analysis for determining obviousness under 35 U.S.C. 103 is stated in Graham v. John 
Deere Co., 383 U.S. 1, 148 USPQ 459 (1966). Obviousness is a question of law based 
on underlying factual inquiries" including "[a]scertaining the differences between the 
claimed invention and the prior art" (MPEP 2141(11)). "In determining the differences 
between the prior art and the claims, the question under 35 U.S.C. 103 is not whether 
the differences themselves would have been obvious, but whether the claimed 
invention as a whole w ould have been obvious" (emphasis in original; MPEP 
2141.02(1)). 

Appellant notes that "[t]he prior art reference (or references when combined) 
need not teach or suggest all the claim limitations, however. Office personnel must 
explain whv the difference(s) between the prior art and the claimed invention would 
have been obvious to one of ordinarv skill in the art " (emphasis added; MPEP 
2141(1!!)). 

Appellant respectfully submits that "[i]t is improper to combine references 
where the references teach awav from their combination" (emphasis added; MPEP 
2145(X)(D)(2); In re Grasselli, 713 F.2d 731, 743, 218 USPQ 769, 779 (Fed. Cir. 
1983)). Appellant respectfully notes that "[a] prior art reference must be considered 
in its entirety, i.e., as a whole, including portions that would lead away from the 
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claimed invention" (emphasis in original; MPEP 2141.02(VI); W.L. Gore & 
Associates, Inc. v. Garlock, Inc., 721 F.2d 1540, 220 USPQ 303 (Fed. Cir. 1983), 
cert, denied, 469 U.S. 851 (1984)). Further, "[a] reference will teach away if it 
suggests that the line of development flowing from the reference's disclosures is 
unlikely to be productive of the result sought by the applicant. In re Gurley, 31 
USPQ2d 1 130 (Fed. Cir. 1994)." Appellant respectfully submits that there is no 
motivation to combine the teachings of Talpade and Maguire, because both Talpade 
and Maguire teach awav from the suggested modification. 

CLAIM 1 

Appellant respectfully submits that both Talpade and Maguire teach awav 
from "wherein said remotely located computing resource is modified by said 
unauthorized intrusion," as recited by Claim 1. 

For example, Talpade states in the last sentence of 0002 (emphasis added), 
"More particularly, our invention relates to detecting DDoS attacks directed at 
edge/customer networks and to mitigating such attacks by redirecting the DDoS and 
non-DDoS traffic within a service providers network and then selectively removing 
the DDoS traffic before it reaches the edge/customer networks." 

Accordingly, Appellant understands Talpade to teach detecting attacks and 
removing the attacks from the traffic before the attacks reach the customer's network 
(see Talpade last sentence of 0002 quoted herein). 

Appellant respectfully submits that detecting attacks and removing the attacks 
from the traffic before the attacks reach the customer's network teaches awav from 
"wherein said remotely located computing resource is modified by said unauthorized 
intrusion," (emphasis added) as recited by Claim 1 . 

Appellant respectfully submits that Talpade does not teach or suggest, 
"...isolating said remotely located computing resource," as recited by Claim 1 . 
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For example, from line 14 of paragraph 0008 to the end of paragraph 0010, 
Talpade states. 

When the sensor detects an attack, it notifies an analysis engine located in 
the ISP... The analysis engine ... advertises new routing information to the 
border and edge routers ... The new routing information instructs the border 
and edge routers to reroute all DDoS, and non-DDoS traffic... The redirected 
DDoS and non-DDoS traffic from the border and edge routers is automatically 
passed through these filters, removing the DDoS traffic . The non-DDoS traffic 
is forwarded back onto the ISP network and routed towards the customer 
network , (emphasis added) 

Talpade further states, in part, at 0009, "Upon receiving an attack notification and 
based on the customer network being attacked, the analysis engine configures one 
or more filter routers, which are also located in the ISP network... The analysis 
engine configures the filter router(s) to advertise new routing information to the 
border and edge routers using the eBGP session." Further still, Talpade states in 
paragraph 0017 lines 1-3, "In accordance with our invention, the sensors 234/236 
monitor aN traffic entering the customer networks 204/206 from the ISP network 
202... " (emphasis added). 



Accordingly, Appellant understands Talpade to teach detecting an attack on a 
customer's network before any of the resources in the customer's network are 
affected (see Talpade last sentence of 0002) by monitoring all traffic entering the 
customer network and if an attempted attack is detected then rerouting the traffic to 
the ISP where the attacks are removed from the traffic and the non-attack traffic is 
rerouted back into the customer network (see Talpade line 14 of paragraph 0008 to 
the end of paragraph 0010, 0009 in part, 0017 lines 1-3 quoted herein). Since 
Appellant understands Talpade to teach that the attacks are detected and removed 
before any resources in the customer's network are affected, Appellant respectfully 
submits that Talpade teaches away from "isolating said remotely located computing 
resource," as recited by Claim 1 . 

Appellant respectfully submits that Maguire does not remedy the deficiencies 
in Talpade because Appellant understands Maguire to also teach away from 
"wherein said remotely located computing resource is modified by said unauthorized 
intrusion," as recited by Claim 1 . For example, Maguire states in the last two lines of 
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the abstract (emphasis added), ". .. preventing network access to confidential data 



resident on the isolated network client." Maguire also states at 0006 lines 7-17, 

...Additionally, nnany corporate or private networks are coupled 
by one or more servers to the Internet; access to one server through 
the Internet may enable unimpeded access to all intranet data resident 
at every network node. Further, many corporate computers are never 
powered down, even when unattended for extended periods of time 
such as during evening hours, business holidays, and weekends. 
Consequently, proprietary corporate data and other information 
resident on these computers remain vulnerable to unauthorized access 
as long as the computers are receiving power and the network 
connection is established, i.e., continuously. 

Maguire further states at 0025 lines 11-14, "Generally, the risk of an unauthorized 

hack or other security breach is greatest when access device 1 1 1 is continuously 

'on-line' (i.e., 'coupled' with or 'connected' to the network)." Maguire also states at 

0033 lines 4-18 (emphasis added), 

...The signal may be generated by a sensor 220 (see FIG. 2B, 
for example) operative to detect the presence of a user at client 112, 
for instance; when the sensor determines that the user is no longer 
present at client 112, the sensor may transmit a signal to isolate 
apparatus representative of the fact that client 112 has been left 
unattended.... Conversely, when the user returns (or a different user 
arrives), the sensor may detect such an arrival and transmit a signal to 
isolation apparatus 210 representative of the fact that client 1 12 is no 
longer unattended; responsive to such a signal, switch 321 may enable 
communication through interface 320. 

Accordingly, Appellant understands Maguire to teach powering down before a device 
is modified in order to prevent the device from being modified (see Maguire 0006 
lines 7-17, 0025 lines 11-14, 0033 lines 4-18 quoted herein). Appellant respectfully 
submits that powering down before a device is modified in order to prevent the 
device from being modified teaches away from "wherein said remotely located 
computing resource is modified by said unauthorized intrusion," as recited by Claim 



Appellant respectfully submits that Appellant's background cannot be used to 
remedy the deficiencies in the Talpade Maguire combination for at least the reasons 
that there is no motivation to combine Talpade and Maguire with each other, or with 
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any other asserted art, because Talpade and Maguire teach away from Claim 1 , as 
discussed herein. 

For at least these reasons, Appellant respectfully submits that Claim 1 is 
patentable for at least the reasons that Appellant understands both Talpade and 
Maguire to teach away from Claim 1 . 

CLAIM 12 

Appellant respectfully submits that both Talpade and Maguire teach away 
from "wherein said unauthorized intrusion caused said computing resource to 
become infected," as recited by Claim 12. 

For example, Talpade states in the last sentence of 0002 (emphasis added), 
"More particularly, our invention relates to detecting DDoS attacks directed at 
edge/customer networks and to mitigating such attacks by redirecting the DDoS and 
non-DDoS traffic within a service providers network and then selectively removing 
the DDoS traffic before it reaches the edge/customer networks." 

Accordingly, Appellant understands Talpade to teach detecting attacks and 
removing the attacks from the traffic before the attacks reach the customer's network 
(see Talpade last sentence of 0002 quoted herein). 

Appellant respectfully submits that detecting attacks and removing the attacks 
from the traffic before the attacks reach the customer's network teaches awav from 
"wherein said unauthorized intrusion caused said computing resource to become 
infected," (emphasis added) as recited by Claim 12. 

Appellant respectfully submits that Talpade does not teach or suggest, 
"isolate said computing resource from remaining computing resources in said 
network of computing resources," as recited by Claim 12. 

For example, from line 14 of paragraph 0008 to the end of paragraph 0010, 
Talpade states, 
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When the sensor detects an attack, it notifies an analysis engine located in 
the ISP... The analysis engine ... advertises new routing information to the 
border and edge routers ... The new routing information instructs the border 
and edge routers to reroute all DDoS, and non-DDoS traffic... The redirected 
DDoS and non-DDoS traffic from the border and edge routers is automatically 
passed through these filters, removing the DDoS traffic . The non-DDoS traffic 
is forwarded back onto the ISP network and routed towards the customer 
network , (emphasis added) 

Talpade further states, in part, at 0009, "Upon receiving an attack notification and 
based on the customer network being attacked, the analysis engine configures one 
or more filter routers, which are also located in the ISP network... The analysis 
engine configures the filter router(s) to advertise new routing information to the 
border and edge routers using the eBGP session." Further still, Talpade states in 
paragraph 0017 lines 1-3, "In accordance with our invention, the sensors 234/236 
monitor all traffic entering the customer networks 204/206 from the ISP network 
202. ■■ " (emphasis added). 

Accordingly, Appellant understands Talpade to teach detecting an attack on a 
customer's network before any of the resources in the customer's network are 
affected (see Talpade last sentence of 0002) by monitoring all traffic entering the 
customer network and if an attempted attack is detected then rerouting the traffic to 
the ISP where the attacks are removed from the traffic and the non-attack traffic is 
rerouted back into the customer network (see Talpade line 14 of paragraph 0008 to 
the end of paragraph 0010, 0009 in part, 0017 lines 1-3 quoted herein). Since 
Appellant understands Talpade to teach that the attacks are detected and removed 
before any resources in the customer's network are affected, Appellant respectfully 
submits that Talpade teaches awav from "isolating said remotely located computing 
resource," as recited by Claim 12. 

Appellant respectfully submits that Maguire does not remedy the deficiencies 
in Talpade because Appellant understands Maguire to also teach awav from 
"wherein said unauthorized intrusion caused said computing resource to become 
infected," as recited by Claim 12. For example, Maguire states in the last two lines 
of the abstract (emphasis added), "... preventing network access to confidential data 
resident on the isolated network client." Maguire also states at 0006 lines 7-17, 
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...Additionally, many corporate or private networks are coupled 
by one or more servers to the Internet; access to one server through 
the Internet may enable unimpeded access to all intranet data resident 
at every network node. Further, many corporate computers are never 
powered down, even when unattended for extended periods of time 
such as during evening hours, business holidays, and weekends. 
Consequently, proprietary corporate data and other information 
resident on these computers remain vulnerable to unauthorized access 
as long as the computers are receiving power and the network 
connection is established, i.e., continuously. 

Maguire further states at 0025 lines 11-14, "Generally, the risk of an unauthorized 

hack or other security breach is greatest when access device 1 1 1 is continuously 

'on-line' (i.e., 'coupled' with or 'connected' to the network)." Maguire also states at 

0033 lines 4-18 (emphasis added), 

...The signal may be generated by a sensor 220 (see FIG. 2B, 
for example) operative to detect the presence of a user at client 112, 
for instance; when the sensor determines that the user is no longer 
present at client 112, the sensor may transmit a signal to isolate 
apparatus representative of the fact that client 112 has been left 
unattended.... Conversely, when the user returns (or a different user 
arrives), the sensor may detect such an arrival and transmit a signal to 
isolation apparatus 210 representative of the fact that client 1 12 is no 
longer unattended; responsive to such a signal, switch 321 may enable 
communication through interface 320. 

Accordingly, Appellant understands Maguire to teach powering down before a device 
is modified in order to prevent the device from being modified (see Maguire 0006 
lines 7-17, 0025 lines 11-14, 0033 lines 4-18 quoted herein). Appellant respectfully 
submits that powering down before a device is modified in order to prevent the 
device from being modified teaches awav from "wherein said unauthorized intrusion 
caused said computing resource to become infected," as recited by Claim 12. 



Appellant respectfully submits that Appellant's background cannot be used to 
remedy the deficiencies in the Talpade Maguire combination for at least the reasons 
that there is no motivation to combine Talpade and Maguire with each other, or with 
any other asserted art, because Talpade and Maguire teach away from Claim 12, as 
discussed herein. 
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For at least these reasons, Appellant respectfully submits that Claim 12 is 
patentable for at least the reasons that Appellant understands both Talpade and 
Maguire to teach away from Claim 12. 

CLAIM 23 

Appellant respectfully submits that both Talpade and Maguire teach away 
from "wherein said remotely located computing resource is modified by said 
unauthorized intrusion," as recited by Claim 23. 

For example, Talpade states in the last sentence of 0002 (emphasis added), 
"More particularly, our invention relates to detecting DDoS attacks directed at 
edge/customer networks and to mitigating such attacks by redirecting the DDoS and 
non-DDoS traffic within a service providers network and then selectively removing 
the DDoS traffic before it reaches the edge/customer networks." 

Accordingly, Appellant understands Talpade to teach detecting attacks and 
removing the attacks from the traffic before the attacks reach the customer's network 
(see Talpade last sentence of 0002 quoted herein). 

Appellant respectfully submits that detecting attacks and removing the attacks 
from the traffic before the attacks reach the customer's network teaches away from 
"wherein said remotely located computing resource is modified by said unauthorized 
intrusion," (emphasis added) as recited by Claim 23. 

Appellant respectfully submits that Talpade does not teach or suggest, 
"...isolating said remotely located computing resource," as recited by Claim 23. 

For example, from line 14 of paragraph 0008 to the end of paragraph 0010, 
Talpade states. 

When the sensor detects an attack, it notifies an analysis engine located in 
the ISP... The analysis engine ... advertises new routing information to the 
border and edge routers ... The new routing information instructs the border 
and edge routers to reroute all DDoS, and non-DDoS traffic... The redirected 
DDoS and non-DDoS traffic from the border and edge routers is automatically 
passed through these filters, removing the DDoS traffic . The non-DDoS traffic 
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is forwarded back onto the ISP network and routed towards the customer 



network , (emphasis added) 



Talpade further states, in part, at 0009, "Upon receiving an attack notification and 
based on the customer network being attacked, the analysis engine configures one 
or more filter routers, which are also located in the ISP network... The analysis 
engine configures the filter router(s) to advertise new routing information to the 
border and edge routers using the eBGP session." Further still, Talpade states in 
paragraph 0017 lines 1-3, "In accordance with our invention, the sensors 234/236 
monitor all traffic entering the customer networks 204/206 from the ISP network 
202... " (emphasis added). 

Accordingly, Appellant understands Talpade to teach detecting an attack on a 
customer's network before any of the resources in the customer's network are 
affected (see Talpade last sentence of 0002) by monitoring all traffic entering the 
customer network and if an attempted attack is detected then rerouting the traffic to 
the ISP where the attacks are removed from the traffic and the non-attack traffic is 
rerouted back into the customer network (see Talpade line 14 of paragraph 0008 to 
the end of paragraph 0010, 0009 in part, 0017 lines 1-3 quoted herein). Since 
Appellant understands Talpade to teach that the attacks are detected and removed 
before any resources in the customer's network are affected. Appellant respectfully 
submits that Talpade teaches awav from "isolating said remotely located computing 
resource," as recited by Claim 23. 

Appellant respectfully submits that Maguire does not remedy the deficiencies 

in Talpade because Appellant understands Maguire to also teach awav from 

"wherein said remotely located computing resource is modified by said unauthorized 

intrusion," as recited by Claim 23. For example, Maguire states in the last two lines 

of the abstract (emphasis added), ".. . preventing network access to confidential data 

resident on the isolated network client." Maguire also states at 0006 lines 7-17, 

...Additionally, many corporate or private networks are coupled 
by one or more servers to the Internet; access to one server through 
the Internet may enable unimpeded access to all intranet data resident 
at every network node. Further, many corporate computers are never 
powered down, even when unattended for extended periods of time 
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such as during evening hours, business holidays, and weekends. 
Consequently, proprietary corporate data and other information 
resident on these computers remain vulnerable to unauthorized access 
as long as the computers are receiving power and the network 
connection is established, i.e., continuously. 

Maguire further states at 0025 lines 11-14, "Generally, the risk of an unauthorized 

hack or other security breach is greatest when access device 1 1 1 is continuously 

'on-line' (i.e., 'coupled' with or 'connected' to the network)." Maguire also states at 

0033 lines 4-18 (emphasis added), 

...The signal may be generated by a sensor 220 (see FIG. 2B, 
for example) operative to detect the presence of a user at client 112, 
for instance; when the sensor determines that the user is no longer 
present at client 112, the sensor may transmit a signal to isolate 
apparatus representative of the fact that client 112 has been left 
unattended.... Conversely, when the user returns (or a different user 
arrives), the sensor may detect such an arrival and transmit a signal to 
isolation apparatus 210 representative of the fact that client 1 12 is no 
longer unattended; responsive to such a signal, switch 321 may enable 
communication through interface 320. 

Accordingly, Appellant understands Maguire to teach powering down before a device 
is modified in order to prevent the device from being modified (see Maguire 0006 
lines 7-17, 0025 lines 11-14, 0033 lines 4-18 quoted herein). Appellant respectfully 
submits that powering down before a device is modified in order to prevent the 
device from being modified teaches away from "wherein said remotely located 
computing resource is modified by said unauthorized intrusion," as recited by Claim 
23. 

Appellant respectfully submits that Appellant's background cannot be used to 
remedy the deficiencies in the Talpade Maguire combination for at least the reasons 
that there is no motivation to combine Talpade and Maguire with each other, or with 
any other asserted art, because Talpade and Maguire teach away from Claim 23, as 
discussed herein. 



For at least these reasons, Appellant respectfully submits that Claim 23 is 
patentable for at least the reasons that Appellant understands both Talpade and 
Maguire to teach away from Claim 23. 
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RESPONSE TO ARGUMENTS 
Appellant respectfully notes that the Examiner failed to respond to Appellant's 
arguments about Talpade and Maguire teaching away from Claim 1 . For example, 
the Examiner did not provide any reasons as to why the Examiner thought 
Appellant's was wrong in arguing that both Talpade and Maguire teach away from 
"wherein said remotely located computing resource is modified by said unauthorized 
intrusion," as recited by Claim 1 and Talpade teaches away from "isolating said 
remotely located computing resource," as recited by Claim 1 . Therefore, Appellant 
respectfully submits that the Examiner was not fully responsible to Appellant's 
arguments, and, for this reason, it was improper to make the Office Action mailed 
October 19, 201 1 final. Appellant respectfully requests that the Examiner fully 
respond to Appellant's arguments in future communications. 

SUMMARY 

Claims 2-5 and 7-1 1 depend on independent Claim 1 . Claims 13-22 depend 
on independent Claim 12. Claims 24-28 and 30-33 depend on independent Claim 
23. These dependent claims include all of the features of their respective 
independent base claims. Therefore, Appellant respectfully submits that these 
dependent claims are patentable for at least the reasons that their respective 
independent base claims are patentable. 
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Conclusion 

Appellant believes that pending Claims 1-5, 7-28 and 30-33 are patentable 
overTalpade, Maguire and background. As such, Appellant submits that Claims 1-5, 
7-28 and 30-33 are patentable over the asserted art. 

Appellant respectfully requests that the rejection of Claims 1-5, 7-28 and 30- 
33 be reversed. The Appellant wishes to encourage the Examiner or a member of 
the Board of Patent Appeals to telephone the Appellant's undersigned representative 
if it is felt that a telephone conference could expedite prosecution. 

Respectfully submitted, 
Wagner Blecher LLP 



Dated: 02/21/2012 /John P. Waaner, Jr./ 

John P. Wagner, Jr. 
Registration No.: 35,398 

Wagner Blecher LLP 
Westridge Business Park 
1 23 Westridge Drive 
Watsonville, CA 95076 



Phone: (408) 377-0500 
Facsimile: (831 ) 722-2350 
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VIII. Appendix - Clean Copy of Claims on Appeal 



1 . A method for responding to network intrusions, comprising: 

a) receiving an intrusion detection system (IDS) alert from an IDS sensor 
located in a network of computing resources, wherein said IDS alert indicates an 
unauthorized intrusion upon a remotely located computing resource in said network of 
computing resources, wherein said remotely located computing resource is modified 
by said unauthorized intrusion; 

b) identifying said IDS alert; and 

c) determining an appropriate response to said IDS alert that is identified at a 
location separate from said remotely located computing resource so that said 
determining said appropriate response is unaffected by said unauthorized intrusion; 
and 

d) automatically implementing said appropriate response to mitigate damage to 
said network of computing resources from said unauthorized intrusion by isolating said 
remotely located computing resource, wherein said implementing said appropriate 
response comprises interfacing with a power controller that controls power to said 
computing resource to shut power to said computing resource. 

2. The method of Claim 1 , wherein a) further comprises: 

a1) detecting a suspicious intrusion into said computing resource; 
a2) determining said suspicious intrusion is unauthorized; 
a3) generating said IDS alert; and 

a4) sending said IDS alert to an IDS manager that is located remotely from 
said computing resource within said network of computing resources. 

3. The method of Claim 2, wherein a2) further comprises: 
determining said suspicious intrusion is unauthorized when said suspicious 

intrusion matches with at least one of a list of unauthorized intrusions. 

4. The method of Claim 2, wherein a1) comprises: 
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detecting said suspicious intrusion at a host-based intrusion detection system 
(HIDS) sensor located on said computing resource. 

5. The method of Claim 2, wherein a1) comprises: 
detecting said suspicious intrusion at a network-based intrusion detection 
system (NIDS) sensor located within said network of computing resources. 

7. The method of Claim 1 , wherein d) further comprises: 

d1) interfacing with at least one switch, an associated switch, in said network of 
computing resources to virtually reconfigure said associated switch in order to virtually 
isolate said computing resource from remaining computing resources in said network 
of computing resources. 

8. The method of Claim 7, wherein said associated switch comprises an 
Ethernet switch. 

9. The method of Claim 7, wherein said associated switch comprises a 
Storage Area Network (SAN) switch. 

1 0. The method of Claim 7, wherein said at least one switch comprises a SAN 
switch and an Ethernet switch. 

1 1 . The method of Claim 1 , wherein said network of computing resources 
comprises a provisional data center. 

12. A method for responding to network intrusions, comprising: 

a) receiving an intrusion detection system (IDS) alert from an IDS sensor in a 
network of computing resources at a location separate from an infected computing 
resource, wherein said IDS alert indicates an unauthorized intrusion upon said infected 
computing resource in said network of computing resources, wherein implementation 
of a response to said IDS alert is unaffected by said unauthorized intrusion and 
wherein said unauthorized intrusion caused said computing resource to become 
infected; 
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b) responding to said IDS alert by automatically interfacing with at least one 
switch in said network of computing resources to virtually reconfigure said at least one 
switch, an associated switch, in order to virtually isolate said computing resource from 
remaining computing resources in said network of computing resources; and 

c) responding to said IDS alert by automatically interfacing with a power 
controller that controls power to said computing resource to shut power to said 
computing resource. 

13. The method of Claim 12, wherein a) further comprises: 

a1) detecting a suspicious intrusion into said computing resource; 
a2) determining said suspicious intrusion is unauthorized; 
a3) generating said IDS alert; and 

a4) sending said IDS alert to an IDS manager that is located remotely from 
said computing resource within said network of computing resources. 

14. The method of Claim 1 3, wherein a2) further comprises: 
determining said suspicious intrusion is unauthorized when said suspicious 

intrusion matches with at least one of a list of unauthorized intrusions. 

1 5. The method of Claim 1 3, wherein a1 ) comprises: 

detecting said suspicious intrusion at a host-based intrusion detection system 
(HIDS) sensor located on said computing resource. 

1 6. The method of Claim 1 3, wherein a1 ) comprises: 

detecting said suspicious intrusion at a network-based intrusion detection 
system (NIDS) sensor located within said network of computing resources. 

17. The method of Claim 12, wherein said network of computing resources 
comprises a provisional data center. 

18. The method of Claim 12, wherein said switch couples said computing 
resource to a virtual local area network. 
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19. The method of Claim 12, wherein said switch comprises an Ethernet 

switch. 

20. The method of Claim 12, wherein said associated switch comprises a 
Storage Area Network (SAN) switch. 

21 . The method of Claim 12, wherein said at least one switch comprises a 
SAN switch and an Ethernet switch. 

22. The method of Claim 12, wherein further comprising: 
automatically interfacing with said associated switch in said network of 

computing resources; and 

automatically interfacing with said power controller. 

23. A computer system comprising: 

a bus for communicating information associated with a method for responding 
to network intrusions; 

a processor coupled to said bus for processing said information associated 
with said method for responding to network intrusions; and 

a computer readable memory coupled to said processor containing program 
instructions, that when executed by said processor, implement said method for 
responding to network intrusions, comprising: 

a) receiving an intrusion detection system (IDS) alert from an IDS sensor 
located in a network of computing resources, wherein said IDS alert indicates an 
unauthorized intrusion upon a remotely located computing resource in said network of 
computing resources, wherein said remotely located computing resource is modified 
by said unauthorized intrusion; 

b) identifying said IDS alert; and 

c) determining an appropriate response to said IDS alert that is identified at a 
location separate from said remotely located computing resource so that said 
determining said appropriate response is unaffected by said unauthorized intrusion; 
and 
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d) automatically implementing said appropriate response to mitigate damage 
to said network of computing resources from said unauthorized intrusion by isolating 
said remotely located computing resource, wherein said implementing said 
appropriate response comprises interfacing with at least one switch, an associated 
switch, in said network of computing resources to virtually reconfigure said 
associated switch in order to virtually isolate said computing resource from remaining 
computing resources in said network of computing resources. 

24. The computer system of Claim 23, wherein a) in said method further 
comprises: 

a1) detecting a suspicious intrusion into said computing resource; 
a2) determining said suspicious intrusion is unauthorized; 
a3) generating said IDS alert; and 

a4) sending said IDS alert to an IDS manager that is located remotely from 
said computing resource within said network of computing resources. 

25. The computer system of Claim 24, wherein a2) in said method further 
comprises: 

determining said suspicious intrusion is unauthorized when said suspicious 
intrusion matches with at least one of a list of unauthorized intrusions. 

26. The computer system of Claim 24, wherein a1) in said method comprises: 
detecting said suspicious intrusion at a host-based intrusion detection system 

(HIDS) sensor located on said computing resource. 

27. The computer system of Claim 24, wherein a1 ) in said method comprises: 
detecting said suspicious intrusion at a network-based intrusion detection 

system (NIDS) sensor located within said network of computing resources. 

28. The computer system of Claim 23, wherein d) in said method further 
comprises: 

d1 ) interfacing with a power controller that controls power to said computing 
resource to shut power to said computing resource. 
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30. The computer system of Claim 23, wherein said associated switch 
comprises an Ethernet switch. 

31 . The computer system of Claim 23, wherein said associated switch 
comprises a Storage Area Network (SAN) switch. 

32. The computer system of Claim 23, wherein said at least one switch 
comprises a SAN switch and an Ethernet switch. 

33. The computer system of Claim 23, wherein said network of computing 
resources comprises a provisional data center. 
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IX. Evidence Appendix 
No evidence is lierein appended. 
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X. Related Proceedings Appendix 
No related proceedings. 
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